Health ministry lacked means to protect personal info

The ministry of health lacked reasonable security to protect personally identifiable information from unauthorized access or disclosure, Information and Privacy Commissioner Elizabeth Denham found in a report released today.

"This investigation examined three breaches of personal health data for research purposes that happened because the Ministry failed to translate privacy and security policies into meaningful business practices," Denham's investigation report said. "The primary deficiency at the Ministry was a lack of effective governance, management and controls over access to personal health information."

The government announced the privacy breaches in September 2012, as well as concerns about contracting and conflicts of interest.

The government's investigation led to the termination of seven health ministry employees and a stop on research contracts, some of which are yet to restart. It has also sparked five lawsuits and a grievance process on behalf of three of the former employees, one of whom was found dead in January.

"Ministry employees were able to download large amounts of personal health data onto unencrypted flash drives and share it with unauthorized persons, undetected," Denham wrote.

"At the operational level, the Ministry should ensure that access to personal health data is restricted to employees who have a clear operational need," she said. "There should be technical safeguards in place to prevent employees from unauthorized copying or transferring that data from their workstations. In cases where transfer of data is authorized, employees should not use portable storage devices, except as a last resort. Even in those circumstances, such devices must be encrypted."

Denham's report noted that there is a public interest in having health data shared appropriately so that researchers can seek "new solutions for patients and improved health outcomes for citizens."

The report makes 11 recommendations, all of which Health Minister Terry Lake said the government accepts and will implement.

"We of course are concerned about what happened," he said, mentioning the investigation is still ongoing. "I think people expect their personal information to be kept confidential and we recognize we can do a better job."

Lake said the ministry hired Deloitte to consult on data security. The firm's June 25, 2013 report is available on the ministry's website.

Asked why the investigation, which began several months before it became public, has taken so long, Lake said, "An investigation like this has to be thorough and robust. We hope to have it done by the end of summer, but it's important to get it right."

He said he will be able to speak more about it when the report is complete, but he wasn't sure if the government would be able to release the results.

The government continues to share information with the RCMP, the Auditor General and Denham's OIPC, he said.

Andrew MacLeod is The Tyee's Legislative Bureau Chief in Victoria.